For many industrial control systems (ICS), trust has historically been assumed. They were designed with a presumption that the asset owner and manufacturers knew what should and should not be trusted as critical to their systems. As we continue in an era of OT and IT convergence, OT organizations today have to move from presumed trust to “assume intrusion,” where nothing is trusted without verification and minimal access is granted.
In this blog, Fortinet OT Field CISO, Willi Nelson, joins Dawn-Marie Hutchinson, CISO at BAT; Matt Bunch, Sr. Director of IT Information Security at Tyson; and Ben Byford, CISO at CPS Pharma, explore the zero-trust mindset necessary across OT and IT to secure modern and legacy solutions while supporting secure remote access.
How would you define zero trust today?
Dawn-Marie Hutchinson: I would say zero trust is less about authorizing and authenticating every user, every time, for every asset, and more about securing your entire foundation. For example, years ago, cybersecurity was about locking the front door of your home and ensuring that the outside of your home was protected so you could move around comfortably and feel secure. Zero trust is about securing not just your home but everything related to that; like where your children go to school, your car, and everything outside of your home.
Ben Byford: I agree, most of the time people overcomplicate zero trust. When you get down to it, it’s what you own, where that stuff lives, who’s using it, and how you authenticate traffic in those applications across your network. It starts with asset management, access controls, and role-based access. Many companies will try to solve it all at once. Small and midsize organizations especially should take a piecemeal approach. Consider where to start, what’s your foundation, and how you can build on that foundation.
Matt Bunch: Zero trust is a set of techniques that organizations can use and, depending on the very diverse set of assets in an organization and where connections are coming from, security leaders have to tackle the problem in different ways depending on what is best for that specific environment.
What is the difference between zero trust in IT and OT environments?
Matt: They’re different and you need to understand the risks differently. For example, am I going to require MFA every time a frontline worker needs to go up to an HMI? No, because that kills productivity and does not create a frictionless environment for them. But what if I can create an environment where they can use a badge, facial authentication, or some other mechanism that will authenticate them for the work environment and check if they are even trained to be utilizing that equipment safely? There are other things that we can build into these authentication mechanisms that will help enable the business to meet even other needs, but it is important to approach OT a little differently.
Ben: I think overall, the approaches are very similar but the risk mitigation strategies are much different between IT and OT. If you have an OT environment and one of your major pieces of equipment or systems goes down, there are millions of dollars on the line. In comparison to IT, the main concern is if someone is going to infiltrate your systems and steal your data. Every company will have different risk mitigation strategies suited to its needs and will pool its resources in different places. That is the biggest thing to account for when looking at zero trust and risk mitigation in IT and OT.
How do you build a strong asset management program to support something like zero trust?
Matt: Many organizations know that building a list of assets and a CMDB is a challenge. There are so many different siloed views of what an asset is, so security organizations are in a very unique position where we should have visibility to everything. Because of that, maybe there are tools and cabling abilities that can help the rest of the IT organization look at the environment differently so that we can better manage those IT assets.
Ben: When we talk about zero trust, immediately our minds go to technology. What are the technologies we’re going to implement? Who owns asset management? Who do we have to partner with to help with that asset management? There is so much to consider about the data inventory as well. Where does your data live? What databases do you have? Where is that data going in the environment? So it’s not just the technology but also the people and processes needed to make that technology more effective.
How ready are C-level executives to implement zero trust?
Ben: Speaking from a small and mid-sized organization’s perspective, they often have to deal with legacy technology, which is a challenge for them. As a CISO, or as someone who is an advocate for zero trust, you have to come up with a plan. You have to come up with it one step at a time and in some cases, that has to be a multi-year approach. I think that many corporations, especially those who have boards today, are ready for that because even though they’re not hearing about zero trust, they’re hearing about identity. And they know the importance of that. So if you can take the importance of identity and tie it back to the importance of zero trust and have that conversation, that is an opening into having zero trust implementation as an option.
Matt: Organizations are already on the journey. Are they ready to embrace it? Absolutely. But they’re already on that journey because they don’t necessarily know that their access control or their network segmentation or their MFA project is a component of building a zero-trust environment. So helping them understand the journey is the most important piece.
Dawn: Zero trust is not a business; it is a technology solution. I wouldn’t approach my management and say, “This is what I would like to see and what the investment is.” I’m focused more on what our business risks are and what zero trust can securely bring to our network capabilities. It’s about delivering secure access to anything from anywhere, at any time, and on any device for the business.
What other teams should be involved when it comes to asset management and zero trust?
Matt: Realistically, all teams have a role to play, and defining roles and relationships within that organization is necessary. Meaning, most teams, operationally, have to have some level of responsibility.
Dawn: As a cybersecurity team, we need visibility, we need the data to be good and accurate and timely, but we are not the owners of that data all the time. That is a service that is provided to us, and I think to an extent, asset management isn’t well managed in most companies, and it is probably one of the more complicated components of our job. Asset management and even access management are fundamental to solving certain issues and are critical to our role, but at the end of the day, security doesn’t own it.
Ben: Especially in larger enterprises, where you have multiple functions, you’re also going to have an internal audit function. What role does that internal audit function play in ensuring that the policies and procedures are being followed, ensuring that those assets are being tracked? What about compliance and privacy? Many people look at zero trust as security and infrastructure and stop there. And it’s not, it has to be a holistic approach to the entire problem, or you’re only solving pieces of it over time and not addressing the entire issue.
Resources: Applying a Zero Trust Mindset to Securing Industrial Control Systems
For Free consultancy PLEASE CLICK HERE